Data Processing Agreement

1. Definitions

In this DPA, the following terms have the meanings given below:

"Controller" means you, the ComplianceKit customer, who determines the purposes and means of processing personal data.
"Processor" means ComplianceKit, who processes personal data on behalf of the Controller.
"Personal Data" has the meaning given in Article 4(1) GDPR: any information relating to an identified or identifiable natural person.
"Processing" has the meaning given in Article 4(2) GDPR.
"Data Subject" means the natural person to whom Personal Data relates — typically visitors to your website.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
"Sub-processor" means any third party engaged by the Processor to process Personal Data under this DPA.
"Services" means the ComplianceKit platform as described in the Terms of Service.

2. Parties

Data Controller

The ComplianceKit customer who has accepted these terms upon registration. Contact details are those provided in your ComplianceKit account.

Data Processor

ComplianceKit
Email: legal@compliancekit.tech
Address: [Company Address]

3. Subject Matter and Duration

This DPA governs the processing of Personal Data by ComplianceKit (Processor) on behalf of the customer (Controller) in connection with the provision of the Services.

This DPA commences on the date the Controller accepts it (upon account registration) and continues for as long as the Processor processes Personal Data on behalf of the Controller, unless terminated earlier in accordance with the Terms of Service.

4. Nature and Purpose of Processing

ComplianceKit processes Personal Data for the following purposes:

Recording and storing cookie consent decisions made by your website visitors
Processing Data Subject Access Requests (DSARs) submitted through your website
Generating compliance reports and analytics related to consent activity on your website
Hosting and delivering your cookie consent banner to your website visitors
Scanning your website to identify cookies and tracking technologies

5. Types of Personal Data Processed

The following categories of Personal Data may be processed under this DPA:

Consent records: Visitor pseudonymous identifier (UUID), IP address, browser user agent, consent preferences (categories accepted/rejected), consent timestamp, consent method (accept all / reject all / custom)
DSAR submissions: Requester name, email address, phone number (if provided), description of the request, any additional information provided by the data subject
Technical data: IP addresses collected during consent recording (personal data under GDPR)

Note: ComplianceKit does not process any special category data (Article 9 GDPR) unless you explicitly provide such data in DSAR descriptions or notes.

6. Categories of Data Subjects

The Personal Data processed under this DPA relates to:

Visitors to the Controller's website(s) who interact with the consent banner
Individuals who submit Data Subject Access Requests through the Controller's DSAR form

7. Obligations of the Processor

ComplianceKit, as Processor, agrees to:

7.1 Process Only on Documented Instructions

Process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service), unless required to do so by law.

7.2 Confidentiality

Ensure that personnel authorised to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.

7.3 Security (Article 32 GDPR)

Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

Encryption of data in transit (TLS/HTTPS)
Encryption of data at rest
Access controls limiting data access to authorised personnel
Regular assessment and testing of security measures
Ability to restore availability and access to Personal Data in the event of a physical or technical incident

7.4 Sub-processors (Article 28(2) GDPR)

Not engage Sub-processors without prior specific or general written authorisation of the Controller. The Controller hereby provides general authorisation for the Sub-processors listed in Section 9 of this DPA. ComplianceKit will inform the Controller of any intended changes to Sub-processors with reasonable notice, giving the Controller the opportunity to object.

7.5 Data Subject Rights

Assist the Controller (by appropriate technical and organisational measures) in fulfilling the Controller's obligation to respond to requests by Data Subjects exercising their rights under Chapter III GDPR, including rights of access, rectification, erasure, restriction, portability, and objection.

7.6 Security Assistance

Assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor. This includes notifying the Controller without undue delay after becoming aware of a Personal Data breach.

7.7 Deletion or Return of Data

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies, unless applicable law requires storage of the Personal Data.

7.8 Audit

Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections conducted by the Controller or another auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

8. Obligations of the Controller

The Controller agrees to:

Ensure that it has a lawful basis for processing Personal Data through the Services
Ensure that Data Subjects have been informed about the processing of their Personal Data in accordance with Articles 13 and 14 GDPR (e.g., through your Privacy Policy)
Comply with all applicable data protection laws in connection with its use of the Services
Ensure that instructions given to ComplianceKit do not violate GDPR or other applicable law

9. Sub-processors

The Controller hereby authorises ComplianceKit to engage the following Sub-processors:

Sub-processor	Purpose	Location
Supabase / PostgreSQL	Database storage of consent records and DSAR submissions	EU / US (configurable)
Resend	Transactional email delivery (DSAR notifications)	US
Railway	Application hosting and compute	US / EU

ComplianceKit will provide at least 14 days' notice before adding or replacing Sub-processors. Notice will be provided by email to the address registered on your account.

10. International Data Transfers

Some Sub-processors listed above are located outside the European Economic Area (EEA). Where Personal Data is transferred to countries not providing an adequate level of data protection, ComplianceKit ensures appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the European Commission
Reliance on the recipient country's adequacy decision where applicable

11. Data Breach Notification

In the event of a Personal Data breach (Article 4(12) GDPR), ComplianceKit will notify the Controller without undue delay and, where feasible, not later than 72 hours after becoming aware. The notification will include, to the extent available:

A description of the nature of the breach, including categories and approximate number of Data Subjects and records affected
The name and contact details of the Data Protection contact point
The likely consequences of the breach
The measures taken or proposed to address the breach

The Controller is responsible for assessing whether the breach must be notified to the relevant supervisory authority and/or to affected Data Subjects.

12. Data Retention and Deletion

ComplianceKit retains Personal Data for the duration of the active subscription. Retention periods for consent records are determined by the Controller's subscription plan:

Free: 7 days
Starter: 30 days
Professional: 1 year
Enterprise: 3 years

Upon account deletion or termination of the Services, Personal Data will be deleted within 30 days, except where longer retention is required by law.

13. Liability

Each party shall be liable to the other for any damage caused by a breach of this DPA. ComplianceKit's total liability under this DPA is subject to the limitations set out in the Terms of Service.

Where both parties are responsible for damage caused by a breach of this DPA, they shall be held liable and each party may seek from the other party that part of the compensation corresponding to the part of the damage for which that party is responsible.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws applicable to the Terms of Service between the parties.

15. Changes to This DPA

ComplianceKit may update this DPA from time to time to reflect changes in law, Sub-processors, or Services. We will notify Controllers of material changes at least 30 days in advance by email. Continued use of the Services after the effective date of any change constitutes acceptance.

16. Contact

Data Protection contact: legal@compliancekit.tech

Support: support@compliancekit.tech

Address: [Company Address]

By accepting this DPA during registration, the Controller acknowledges that they have read, understood, and agree to be bound by its terms. Acceptance is recorded with a timestamp in the Controller's account record.